How JSP gets the real IP address of the client

  • 2021-07-22 10:58:12
  • OfStack

In JSP, the method for getting the client IP is request.getRemoteAddr(). It works in most cases, but it cannot return the real IP address of the client when the request passes through reverse proxy software such as Apache or Squid.

If reverse proxy software is used to map the URL http://192.168.1.110:3306/ to the URL http://www.8888.com/, the IP address returned by request.getRemoteAddr() is 127.0.0.1 or 192.168.1.110, not the real IP of the client.

Once a proxy sits between the client and the service, the server can no longer see the client's IP directly, and the server-side application cannot reply directly to the client using the address of the forwarded request. However, the proxy adds X-FORWARDED-FOR information to the HTTP headers of the forwarded request, which is used to track the original client IP address and the server address the original client requested.

When we visit http://www.8888.com/index.jsp/, our browser does not actually access the index.jsp file on the server. Instead, the proxy server first accesses http://192.168.1.110:3306/index.jsp and then returns the result to our browser. Because it is the proxy server that accesses index.jsp, the IP obtained by request.getRemoteAddr() in index.jsp is the address of the proxy server, not of the client.

This gives method 1 for obtaining the real IP address of the client:


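public String getRemortIP(HttpServletRequest request)
{
  // No X-Forwarded-For header: fall back to the address of the TCP peer
  if (request.getHeader("x-forwarded-for") == null)
  {
    return request.getRemoteAddr();
  }
  // Otherwise return the header value exactly as the proxy forwarded it
  return request.getHeader("x-forwarded-for");
}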

However, when I visit http://www.xxx.com/index.jsp/, the returned IP address is always unknown, which is not 127.0.0.1 or 192.168.1.110 as shown above. However, when I visit http://192.168.1.110:3306/index.jsp, I can return the real IP address of the client and write a method to verify it. The reason lies in Squid. In the squid.conf configuration file, forwarded_for defaults to on; if forwarded_for is set to off: X-Forwarded-For: unknown

This gives method 2 for obtaining the real IP address of the client:


public String getIpAddr(HttpServletRequest request)
{
  // Try X-Forwarded-For first; Squid sends "unknown" when forwarded_for is off
  String ip = request.getHeader("x-forwarded-for");
  if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip))
  {
    ip = request.getHeader("Proxy-Client-IP");
  }
  if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip))
  {
    ip = request.getHeader("WL-Proxy-Client-IP");
  }
  // No usable proxy header: fall back to the address of the TCP peer
  if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip))
  {
    ip = request.getRemoteAddr();
  }
  return ip;
}

However, if the request passes through multiple levels of reverse proxy, X-Forwarded-For holds not a single value but a string of IP values. Which one is the real IP of the client?

The answer is: take the first valid IP string that is not unknown in X-Forwarded-For.

For example: X-Forwarded-For: 192.168.1.110, 192.168.1.120, 192.168.1.130, 192.168.1.100

The true IP of the user is: 192.168.1.110

Both of the above methods are feasible. Never use the request.getRemoteAddr() method alone to get the client IP, which is not ideal.
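An added example, not code from the original article: a stricter variant of method 2 for the multi-proxy case. Because any client can send its own X-Forwarded-For header, it honours the header only when request.getRemoteAddr() is a known proxy, and instead of taking the first entry it walks the list from the right, skipping known proxies. The class name, the trusted-proxy addresses and the sample headers are assumptions constructed for illustration.

```java
import java.util.Set;
import java.util.regex.Pattern;

public class ClientIpResolver {
    // Assumption: addresses of the reverse proxies you operate (constructed sample values).
    static final Set<String> TRUSTED_PROXIES =
            Set.of("127.0.0.1", "192.168.1.100", "192.168.1.120", "192.168.1.130");

    // IPv4 literals only, matching the article's examples; extend for IPv6 if needed.
    static final Pattern IPV4 = Pattern.compile(
            "((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)");

    /**
     * remoteAddr: value of request.getRemoteAddr()
     * xff:        value of request.getHeader("x-forwarded-for"), may be null
     */
    static String resolve(String remoteAddr, String xff) {
        // Any client can send this header; honour it only when the TCP peer is our proxy.
        if (xff == null || !TRUSTED_PROXIES.contains(remoteAddr)) {
            return remoteAddr;
        }
        String[] hops = xff.split(",");
        // Each proxy appends the address it saw, so walk right to left and
        // stop at the first hop that is not one of our own proxies.
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!IPV4.matcher(hop).matches()) {
                return remoteAddr;   // "unknown", empty or malformed: do not guess
            }
            if (!TRUSTED_PROXIES.contains(hop)) {
                return hop;
            }
        }
        return remoteAddr;           // header listed only our own proxies
    }

    public static void main(String[] args) {
        // Constructed inputs: the article's example chain, arriving via a local proxy.
        String chain = "192.168.1.110, 192.168.1.120, 192.168.1.130, 192.168.1.100";
        System.out.println(resolve("127.0.0.1", chain));
        // Same chain with an extra entry prepended by the sender.
        System.out.println(resolve("127.0.0.1", "10.9.9.9, " + chain));
        // Header present, but the TCP peer is not one of our proxies.
        System.out.println(resolve("203.0.113.7", "10.9.9.9"));
    }
}
```

In a JSP or servlet, call it as resolve(request.getRemoteAddr(), request.getHeader("x-forwarded-for")).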

I hope this article is helpful to everyone's study.

